python/semanage: Improve handling of "permissive" statements

- Add "customized" method to permissiveRecords which is than used for "semanage permissive --extract" and "semanage export" - Enable "semanage permissive --deleteall" (already implemented) - Add "permissive" to the list of modules exported using "semanage export" - Update "semanage permissive" man page Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
2019-09-27 16:13:47 +02:00 · 2019-09-27 16:13:47 +02:00 · 3a9b4505bf
commit 3a9b4505bf
parent 9d8fd6e9b9
3 changed files with 18 additions and 4 deletions
--- a/python/semanage/semanage
+++ b/python/semanage/semanage
@ -737,6 +737,11 @@ def handlePermissive(args):

    if args.action == "list":
        OBJECT.list(args.noheading)
+    elif args.action == "deleteall":
+        OBJECT.deleteall()
+    elif args.action == "extract":
+        for i in OBJECT.customized():
+            print("permissive %s" % str(i))
    elif args.type is not None:
        if args.action == "add":
            OBJECT.add(args.type)
@ -752,9 +757,9 @@ def setupPermissiveParser(subparsers):
    pgroup = permissiveParser.add_mutually_exclusive_group(required=True)
    parser_add_add(pgroup, "permissive")
    parser_add_delete(pgroup, "permissive")
+    parser_add_deleteall(pgroup, "permissive")
+    parser_add_extract(pgroup, "permissive")
    parser_add_list(pgroup, "permissive")
-    #TODO: probably should be also added => need to implement own option handling
-    #parser_add_deleteall(pgroup)

    parser_add_noheading(permissiveParser, "permissive")
    parser_add_noreload(permissiveParser, "permissive")
@ -778,7 +783,7 @@ def setupDontauditParser(subparsers):


 def handleExport(args):
-    manageditems = ["boolean", "login", "interface", "user", "port", "node", "fcontext", "module", "ibendport", "ibpkey"]
+    manageditems = ["boolean", "login", "interface", "user", "port", "node", "fcontext", "module", "ibendport", "ibpkey", "permissive"]
    for i in manageditems:
        print("%s -D" % i)
    for i in manageditems:
--- a/python/semanage/semanage-permissive.8
+++ b/python/semanage/semanage-permissive.8
@ -2,7 +2,7 @@
 .SH "NAME"
 .B semanage\-permissive \- SELinux Policy Management permissive mapping tool
 .SH "SYNOPSIS"
-.B semanage permissive [\-h] (\-a | \-d | \-l) [\-n] [\-N] [\-S STORE] [type]
+.B semanage permissive [\-h] [\-n] [\-N] [\-S STORE] (\-\-add TYPE | \-\-delete TYPE | \-\-deleteall | \-\-extract | \-\-list)

 .SH "DESCRIPTION"
 semanage is used to configure certain elements of SELinux policy without requiring modification to or recompilation from policy sources.  semanage permissive adds or removes a SELinux Policy permissive module.
@ -18,9 +18,15 @@ Add a record of the specified object type
 .I   \-d, \-\-delete
 Delete a record of the specified object type
 .TP
+.I   \-D, \-\-deleteall
+Remove all local customizations of permissive domains
+.TP
 .I   \-l, \-\-list
 List records of the specified object type
 .TP
+.I   \-E, \-\-extract
+Extract customizable commands, for use within a transaction
+.TP
 .I   \-n, \-\-noheading
 Do not print heading when listing the specified object type
 .TP
--- a/python/semanage/seobject.py
+++ b/python/semanage/seobject.py
@ -478,6 +478,9 @@ class permissiveRecords(semanageRecords):
                l.append(name.split("permissive_")[1])
        return l

+    def customized(self):
+        return ["-a %s" % x for x in sorted(self.get_all())]
+
    def list(self, heading=1, locallist=0):
        all = [y["name"] for y in [x for x in sepolicy.info(sepolicy.TYPE) if x["permissive"]]]
        if len(all) == 0: